Problem/Motivation

It doesn't seem TFA is linked to the user session. If you copy the url of the TFA form page (the one shown after the login form) and open it in a completely different browser, the page loads fine without re-requesting username/password and users can login after entering a valid TFA code.
I am assuming the URL paths of requests are logged, so someone with access to the logs could grab on of these URL paths and bypass providing the accounts username and password.
However, you still require that user's TFA token to log into the account or direct access to the back-end database to steal encryption keys for the TFA passcodes.

Steps to reproduce

  1. Enable and configure Drupal to use TFA
  2. Login using your user credentials.
  3. If you copy the url of the TFA form page (the one shown after the login form) and open it on a completely different browser, the page loads fine without re-requesting username/password
  4. And users can login after entering a valid TFA code

Proposed resolution

The URL has a randomly generated token which is most likely being used by the TFA module to identify and login the user but I think the proper process should link the TFA and the current user session.

Remaining tasks

Provide patch with implementation to link TFA hash to the user session.

Comments

joshua1234511 created an issue. See original summary.

joshua1234511’s picture

Issue summary: View changes
jcnventura’s picture

Status: Active » Closed (duplicate)

Unpublishing, as this should have been created as a security issue, but it already has been.

jcnventura’s picture

joshua1234511’s picture

@jcnventura can you please tag/provide link to the existing issue.

jcnventura’s picture

jcnventura’s picture